NSA director addresses Black Hat, says there have been “zero abuses” of data

But "safeguards" against abuse are based on policy, not technology.

LAS VEGAS—At the Black Hat security conference today, National Security Agency (NSA) Director Keith Alexander defended the NSA's data collection programs and described at a high level what data is collected and how it's used.

His presentation covered two programs, both revealed by Edward Snowden: telephone metadata collection and a program of collecting from the computer industry data relating to foreign nationals, of which PRISM is a component. According to Alexander, the phone metadata collection, authorized under FISA section 215, was both limited and tightly controlled. The NSA collects only the time and date of a call, the phone numbers involved in a call, the duration of a call, and the service provider that captured the information. Notably, he said that names, address information, and location information were not captured. Nor was any conversation data collected, such as the contents of voice calls or text messages.

While this data was collected, Alexander said that access to the information was tightly restricted. Free-for-all queries weren't permitted. Instead, numbers had to be individually approved by one of 22 people at the NSA, and only 35 analysts within the agency were authorized to run queries on those numbers. He said that fewer than 300 numbers were added to the list in 2012.

The NSA can send information about numbers to the FBI. The FBI can then use National Security Letters to demand name and address information from phone companies, and after showing probable cause, the agency can obtain warrants to request data.

The collection of data relating to foreigners was authorized under FISA section 702. Alexander asserted that this plan cannot target any US citizens, regardless of where they are. He also contradicted the claim made by the Guardian newspaper that the NSA has direct access to major technology companies, saying that there's no unilateral access by the US government to the servers of US companies, and that instead, the companies are legally compelled to hand over data.

Justifying all this, Alexander said that terrorists use these communications systems. After the September 11th attacks, the intelligence community was criticized by the 9/11 Commission for failing to connect the dots between fragments of information that had been collected. These programs are the intelligence community's response and have been used to disrupt 54 "terror-related activities," including 13 in the US.

Alexander gave the concrete example of the 2009 subway bombing plot by Najibullah Zazi, a plot previously linked to the PRISM program. Under the section 702 program, the NSA intercepted e-mail communications between Najibullah Zazi and a Pakistani terrorist. Zazi's phone number was then added to the list of authorized phone numbers for the section 215 scheme, and this revealed communication with another phone number. This second phone number was given to the FBI, and the FBI linked it to Adis Medunjanin, a previously unknown co-conspirator.

Alexander's demeanor was sincere throughout. Foreign intelligence saves lives, he said, and he was dismayed that the NSA's reputation was tarnished due to the incomplete information that had been revealed about its activities. He consistently said that he welcomed the discussion with the community about the trade-offs between privacy and security, but he simultaneously argued for secrecy in order to limit the information disclosed to terrorists, apparently ignoring the irony that thanks to this secrecy, any meaningful discussion is impossible anyway.

The audience reaction was mixed. There were a few heckles: Alexander's claim that "We stand for freedom" was swiftly met with a cry of "Bullshit!" from the crowd. When someone demanded that he "read the constitution," Alexander responded with "I have. You should too," which received warm applause.

But overall, his presentation did little to reassure those suspicious of government data collection efforts. Though he said that the FISA court was no mere rubber stamping operation, the major constraint on misuse of the data was policy. The systems were "100 percent auditable" and the general claimed that there had been "Zero abuses of NSA PRISM, and that's no bullshit." Fundamentally, however, the claim was not that the NSA can't access and abuse this data—it's merely that it doesn't.

Exactly. Notice that he didn't specify how many audits occur, so his claim is likely true, or at least true in the sense General Alexander understands truth. To his knowledge, no abuses have occurred, because no meaningful audits have occurred.

The point isn't that data supposedly hasn't thus far been abused. It's that the data exists, and thus can be abused. The mere existence of the data in the hands of the government is an abuse of the data.

Guy's a complete liar. Don't believe a word he says. Do a search on XKeyScore and check out documents that The Guardian released today to see what a low-level analyst can do with your data. They can even track you through VPNs. Snowden wasn't hyping it up when he said he could see everything you do.

Every public statement they make is a lie. If they tell you it's sunny outside, you can bet that it's raining. They lie to Congress, they lie to the public, they lie to the President. When they go home at night, they lie to their wives and kids. They have a secret court where defendants are not allowed to attend, and are not even told they are on trial. They have an unlimited secret budget that nobody can check. They appear to be mostly controlled by the contractors and companies that sell them services. Private parties are helping themselves to public money, creating a surveillance state for unknown reasons under the guise of fighting terrorism.

I used to think that they couldn’t get away with lying to Congress but considering that Clapper lied and wasn’t charged, it's clear to me that you can never believe anything these NSA/Intel people say.

He also contradicted the claim made by the Guardian newspaper that the NSA has direct access to major technology companies, saying that there's no unilateral access by the US government to the servers of US companies, and that instead, the companies are legally compelled to hand over data.

Yep, we don't need direct access to your servers...we just need to issue a National Security Letter and have you hand it over, no questions asked.

Is the government application of secrecy provisions to the operation of such programs a necessary price to mitigate potential attacks on citizens? Perhaps it is, perhaps not.

Are some of the people taking issue with an elected government having those secrecy provisions the same who trade their privacy for free widgets and services from private companies who monetize that information? Perhaps they are, perhaps not.

This is when the general loses all credibility. The information is gathered using technology, both software and hardware. All software has bugs. All hardware has bugs. No matter how air tight the perception of the technology is, there are flaws that can be exploited intentionally or unintentionally which can lead to abuses.

In general, technology can be trusted to be more reliable than humans. You can think that you know a person 100%, but you don't. There are people you have known for 30+ years that will do things you thought impossible. People lie. People cheat. People steal. People hide embarrassing mistakes. People withhold information from their boss in order to not be fired. People abuse power for selfish motives.

So, his assertion that abuses don't happen due to human oversight rather than some technical marvel doesn't fill me with any confidence and just shows how laughably obtuse his statement of "zero abuses" is. Either he is extremely self-deluded, in which case he should not have the position that he has, or he is lying to desperately try to regain credibility for the organization either due to personal motivation or pressure from elsewhere in the government.

He says that he's read the Constitution. I don't believe him. The conference attendees should have said likewise.

Reading the constitution does not mean that you comprehend the deeper meaning and intent. Even if you fully comprehend the document, it does not mean that you agree with it and it does not imply that you are unwilling to bend or ignore the constitution when you believe it is in the greater good.

Fundamentally, however, the claim was not that the NSA can't access and abuse this data—it's merely that it doesn't.

This is the issue. If even the head of the NSA demurs to show safeguards, then why should we trust?

Trust is never sufficient unless backed by some sort of evidence. It certainly isn't a reason to grant the government a long-term record of everything occurring online.

Once you have someone like him retreating to an argument of "but we haven't abused it yet", they have really lost the argument. The whole problem with this tech is not how they are abusing it now but how the next regime can abuse it. He's helping to build a police state and he's kidding himself it won't be abused.

Besides, the fact that this tech is being used already demonstrates a "breakdown in policy".

Seriously, the only way to prevent abuse is to design the software that would REQUIRE an approval code or authorization code from the FISA court in order to even begin searching for any emails or phone records. Apparently, according to the latest leak, it isn't so. In fact, the entire process is very administrative. A click there and click here, bam, someone is reading your emails.

Terrorists use these communications systems. Great so we let go of our freedom for that reason? They also live in homes. Do we accept searches of our homes next? It blows my mind thinking back to all the propaganda I used to read about Russia, the KGB, etc, when I read about the things going on now. How are we (we=gov't) different now?? Can someone please explain that to me??

Fundamentally, however, the claim was not that the NSA can't access and abuse this data—it's merely that it doesn't.

This is the issue. If even the head of the NSA demurs to show safeguards, then why should we trust?

Trust is never sufficient unless backed by some sort of evidence. It certainly isn't a reason to grant the government a long-term record of everything occurring online.

I am not bothered by the fact that the NSA has a secret database. I'm not bothered by its anti-terrorism activities. I further accept the government may need to gather intelligence on targets through non-standard means. A police officer who witnesses a crime is legally allowed to pursue a suspect into a home without a warrant under the conventional system because we recognize that, in certain narrow circumstances, it may be in the public's best interest to prevent a crime in progress.

The problem I have with the current system is that the NSA and FBI can go to the FISC, obtain a warrant, obtain information using that warrant, and are under no obligation, even at trial, to detail why or how that warrant was obtained. There is a court-sanctioned blanket of secrecy that can be used to shroud information that might be vital to a person's defense.

We acknowledge that evidence illegally obtained cannot be used in a court of law in other affairs, but have ignored this legal precept in the name of fighting terrorism. I think that should change. It might mean creating a group of lawyers with top secret clearance that are allowed to serve as counsel for defendants in these situations, but the FISC should not be an entirely one-sided organization.

Huh... zero abuses. Sounds pretty great. It would be nice if the government would provide a definition of what they consider the definition of abuse to be in this sentence. However, that definition is probably a state secret and would endanger "national security."

Fundamentally, however, the claim was not that the NSA can't access and abuse this data—it's merely that it doesn't.

This is the issue. If even the head of the NSA demurs to show safeguards, then why should we trust?

Trust is never sufficient unless backed by some sort of evidence. It certainly isn't a reason to grant the government a long-term record of everything occurring online.

I am not bothered by the fact that the NSA has a secret database. I'm not bothered by its anti-terrorism activities. I further accept the government may need to gather intelligence on targets through non-standard means. A police officer who witnesses a crime is legally allowed to pursue a suspect into a home without a warrant under the conventional system because we recognize that, in certain narrow circumstances, it may be in the public's best interest to prevent a crime in progress.

The problem I have with the current system is that the NSA and FBI can go to the FISC, obtain a warrant, obtain information using that warrant, and are under no obligation, even at trial, to detail why or how that warrant was obtained. There is a court-sanctioned blanket of secrecy that can be used to shroud information that might be vital to a person's defense.

We acknowledge that evidence illegally obtained cannot be used in a court of law in other affairs, but have ignored this legal precept in the name of fighting terrorism. I think that should change. It might mean creating a group of lawyers with top secret clearance that are allowed to serve as counsel for defendants in these situations, but the FISC should not be an entirely one-sided organization.

"A police officer who WITNESSES a crime" can pursue the suspect. He can't just pursue a random person who MIGHT have committed a crime. Very poor analogy to the current issue, IMHO.

Aside from that, a separate article speaking to the sheer volume of data collected and struggles the NSA has with simply storing it would make you think they would like the idea of being able to focus more narrowly on their targets.

So... Snowden leaking the structure and scope of the apparatus doesn't count, right?

Dunno...if someone steals your laptop and exposes the data on it to the world, is that your abuse or their abuse?

That would depend on how much reasonable care, based on the sensitivity of the data on the laptop, you exercised. Sensitive data without any encryption? Probably your fault. Sensitive data which was encrypted that someone stole and applied a supercomputer to decrypt? You'd probably be exonerated.

Sensitive data, encrypted or not, that you should never have had to begin with? Hmmmm....

This is completely Kafkaesque. The US government (and I'm sure the Canadian government is equally complicit and receives this data, and I'm sure they have their own similar programs):
a. covers everything under a blanket of secrecy;
b. then legally prevents entities/people from talking about the data being hoovered under the auspices of the National Security Letters (NSLs) and other FISA tools;
c. then denies that they are doing anything wrong;
d. while simultaneously using extremely suspect intellectual/legal reasoning to justify their illegal (unethical? immoral?) actions;
e. then prosecutes, to the fullest extent of their overwhelming power, players (whistleblowers) that reveal illegal (unethical? immoral?) actions;
f. then covers up / lies about their actions;
g. then tries to provide post-hoc justifications for their actions;
h. then FINALLY discloses "TOP SECRET" documents

As a post-script - I'm Canadian, so this extralegal activity occurring in the US significantly affects me, and I have absolutely no recourse to avoid it. Awesome, eh?

The major reality of all the hype surrounding Edward Snowden has been the failure to produce any cases where particular people were substantially damaged by NSA practices. No doubt there are some real grounds for concern about the potential for abuse of that kind of information gathering that the NSA appears to have engaged in. But, there are many cases where excesses of American power have really hurt people. So far there is not much in the way of evidence that the NSA surveillance is one of them.

There's no evidence because it's a secret program overseen by a secret court that the public at large isn't even allowed to see the rulings of. Because of this, it's very hard to say whether there have or haven't been abuses of the data the agency has collected, because no one knows what the internal process is, who holds who accountable in the case of abuse, or even how "abuses" are being defined. The only assurance we have that this data isn't being used for someone's personal gain is the assurance of a General who has straight up lied to Congress (while under oath!) when asked questions regarding the program. It doesn't matter that he claims the process is "auditable" because no one who's accountable to the public at large is able to do the auditing. Even Congress doesn't get the whole picture, and enough of them are pissed enough about what's been revealed through Snowden's leaks that they're seriously thinking about defunding the program (I would encourage them to go a step further and prosecute the General for committing perjury and remove him from office, but I realize that that probably won't happen).

They really don't get it do they? It's completely irrelevant whether there's been 0 or 100 abuses. The mere fact that such databases and programs exist makes them available to the next Nixon (or worse) to come along. And then policy isn't worth jack shit.

I can't imagine any other country in the world where the head of a super-secret intelligence organisation - 4-star general - would go stand in front of a hacker audience to explain and defend its actions. This is exactly what needed to be done, and he had the courage to do it.

There was a thread on Reddit, long before the Snowden leaks, about "Creepy first impressions on a date" or something along those lines. One of the posts was about a girl who had a friend in the NSA who did a background check on the poster. During the date, the poster was presented with a list of websites he had been to, some from way back, even under a different ISP than his current one.

That's stuck in my head ever since, in part because it was such a low threshold for abusing the data. This privacy breach wasn't done because of some tearful breakup or suspicion of cheating, it was just because of a first date.

Maybe Alexander was telling the truth, with enough qualifications. To his knowledge, for this program, etc. But I have no reason to believe that what he said is actually *truthful*, and sufficient reason to believe it's not.

Foreign intelligence saves lives, he said, and he was dismayed that the NSA's reputation was tarnished due to the incomplete information that had been revealed about its activities. He consistently said that he welcomed the discussion with the community about the trade-offs between privacy and security, but he simultaneously argued for secrecy in order to limit the information disclosed to terrorists, apparently ignoring the irony that thanks to this secrecy, any meaningful discussion is impossible anyway.

This, right here, is probably the biggest problem. They're arguing the program needs to be secret, and complaining that their reputation was tarnished by "incomplete information"? It's incomplete because it's a secret program, for fuck's sake. If this program had been started, in public, with well-established publicly disclosed safeguards, regular audits for abuse (by a trusted third party, not a secret court and/or unknown members of the NSA itself), and public discussion of exactly what was going to happen and exactly what was being gathered, then we could have a meaningful discussion.

Instead, they ran the program in secret, with a secret court, no public disclosure of any kind whatsoever, no third-party oversight, and lied about it. There is zero trust or meaningful discussion possible after that, and the only course of action that might allow discussion is to shut it, and possibly the organization behind it, down completely. Then we could talk about collecting metadata. Talk, not do it for sure: but maybe discuss doing it (although, at this point I think it's too late to even talk about it: they've proven they can't handle it right, so there is little room left for discussion).